<template> cannot appear alone.

[filedescriptor]

For example, <template> is removed but <div><template> is alright. Not sure if it is intended behavior?

Tested in latest Chrome and Firefox with DOMPurify 0.4.3.

[cure53]

That's actually expected behavior. And it relates to what happens for example with <style>:

<style> => ''
1<style> => '1'<style></style>

For the browser, a "naked" style (or template) element has document.body to be empty. The element will instead go to the header (document.head). Only if some content appears before the element, it will be part of the body. Look at doc.head - there you will find the template element ;)

You can work around that by setting WHOLE_DOCUMENT to true. Then you even get the header back.

[filedescriptor]

I get the idea. However, what would if I really want to have a clean <template></template> instead of this chunk <html><head><template></template></head><body></body></html>?

In addition, I think this behavior kind of breaks the point of jPurify - maybe I should file a bug there as well.

[cure53]

I understand. In DOMPurify you want to actually clean strings from unwanted code. So there, it doesn't really hurt if we keep following browser behavior. In jPurify however, people might want to use $() as a factory and create a clean <template> element. In that case, they empty return value would be a bug.

Yeah, I think a ticket for jPurify would be best. Thx!

[cure53]

Closed, as the jPurify issue has been fixed and DOMPurify is not supposed to be used as factory.